Secrover

Secrover is a free, open-source tool that automates generation of clear, professional HTML security audit reports for code repositories and domains. It combines dependency scanning, static code checks, and domain/SSL checks into a single shareable report.

Key Features

• Dependency vulnerability scanning using OSV-based scanners to report known issues across supported languages
• Static code checks via integrated search tools to surface potentially risky code patterns
• Domain and hosting audits: SSL/TLS, redirects, security headers, open ports, and basic hosting location info
• Produces standalone human-readable HTML reports suitable for stakeholders and public sharing
• Automation support: run one-off scans via Docker or schedule recurring scans using an internal cron (Supercronic)
• Remote export options for reports using rclone-compatible destinations (S3, SFTP, WebDAV, SMB, Google Drive)
• Support for private GitHub repositories via HTTPS Personal Access Token

Use Cases

• Generating repeatable security audit reports for open-source projects or internal repositories
• Producing client-facing or compliance-ready HTML reports after dependency and code scans
• Integrating scheduled security scans into CI workflows and exporting results to cloud storage or intranet sites

Limitations and Considerations

• Private repository cloning currently works only over HTTPS with a GitHub Personal Access Token; SSH is not supported
• Dependency scanning and language coverage depend on the capabilities of the integrated external scanners (e.g., OSV scanner)
• Scans of very large repositories or many targets may be resource- and time-intensive when run in single-container setups

Secrover is a practical choice when you need transparent, shareable security audit reports without a proprietary SaaS dependency. It is designed for simple Docker-based deployment, automation via cron or CI, and flexible export destinations for report distribution.